How to Manage Expectations in Internal Security Leadership Roles

I’ve seen numerous friends and acquaintances take and serve in upper-level security roles inside large companies. By this I mean director, VP, or CISO type roles in organizations with more than like 5,000 employees.

These are roles where the actual infosec aspects are often dwarfed considerably by politics and budget, and where success or failure can hinge upon a string of bad meetings or bad luck, or simply not having the right allies.

Or, even more commonly and dangerously, not having any management support whatsoever.

I’ve long noticed this pattern, and I have developed a formula for handling such opportunities and/or positions, both for my friends and for myself if and when I decide to go that route.

Rules of InfoSec Politics Fight Club

There are two types of organization: 1) organizations where you can change the way they do things for the better because they trust you and/or the position and are willing to listen to your leadership, and 2) organizations that are just hiring a new person to say no to

You must, at all times, know which of these organizations you are in

If you are in the first (full management support), put your soul into it, and if you get pushback, navigate it with optimism and positivity

If you are in the second (little to no management support), treat the 12 to 24 months that you are there as a LinkedIn paragraph that has not yet been written. Do your best to move the needle, even though you know nobody there cares

Every month, re-evaluate which type of organization you are in and adjust accordingly. If you were in the full management support one, but now you’re not, switch gears. Save your soul and work on your LinkedIn bullets. Do good work, but disconnect emotionally

If something crazy happens and you were in the soul-crusher before, but now you actually have support, switch gears and put your heart into your work again. But remember to re-check in another month

Finally, if you are interviewing at a place, and they’re telling you about how much support you’ll have, find a way to talk to the person going out. Find the last two or three people. Talk to them. Find out if it’s actually a soul-crusher when they say it’s a land of infinite support and encouragement

Summary

You can benefit from both soul-crusher and idealistic infosec leadership roles; the drama comes from not identifying which you are dealing with

If it’s a soul-crusher, and you still want the job, just stay emotionally disconnected and you’ll be fine. Lay out a project plan and execute it. Get some wins for the business and for your resume. Do NOT let yourself care about what people say or think

If it’s a true opportunity to make change, embrace it and do as much as you can, but be on the lookout for the tide to change towards nobody caring. If that happens, convert to soul-crusher mode to protect your own mental health

This is how to navigate Director-CISO positions in large organizations. Know what you’re dealing with and adjust your expectations and emotional engagement accordingly.